- December 31, 2016
- Posted by: Syed Shujaat
- Category: Networking Solutions, Uncategorized
AD Group Scope
There are two group types when we talk about Groups in Active Directory which are Distribution groups and Security groups.
- Distribution groups are used primarily by email applications. These groups are not security enabled—they do not have SIDs—so they cannot be given permission to resources. Sending a message to a distribution group sends the message to all members of the group.
- Security groups are security principals with SIDs. These groups can therefore be used in permission entries in ACLs to control security for resource access. Security groups can also be used as distribution groups by email applications. If a group will be used to manage security, it must be a security group.
Based on the group scope, there are four different types. They are Local, Domain Local, Universal, and Global groups.
Local Groups: Local groups are truly local—defined on and available to a single computer. Local groups are created in the security accounts manager (SAM) database of a domain member computer — both workstations and servers have local groups.
Domain Local Groups: Domain local groups are used primarily to manage permissions to resources.
Global Groups: Global groups are used primarily to define collections of domain objects based on business roles.
Universal Groups: Universal Groups can have members from any domain in the forest.
I have this table which will summarize different types of groups and their use cases in a real environment.
Power shell Commands to Setup new AD Group with Desired Group Scope.
$rootDN = (Get-ADDomain).DistinguishedName
In the above line, I am setting a variable called rootDN which will basically contain the name of my domain. We are doing this so that we do not have to keep typing the same thing over and over again.
So let us go ahead and create a distribution group called DL-HR, and it will be a domain local group within the HR OU of our root domain.
New-ADGroup -Path "OU=LA-HR,$rootDN" -Name "DL-HR" -GroupScope DomainLocal -GroupCategory Distribution